
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 485992
Start time: 16:18:02
Joe Sandbox Product: Cloud
Start date: 22.01.2018
Overall analysis duration: 0h 13m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Xtaqxu6frQ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal84.evad.spre.adwa.phis.spyw.troj.winEXE@25/41@29/1
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 60
  • Number of non-executed functions: 68
EGA Information:
  • Successful, ratio: 100%
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: fero.exe, chrome64x.exe, chrome64x.exe, chrome64x.exe


Detection

Strategy    Score   Range      Reporting        Detection
Threshold   84      0 - 100    Report FP / FN   malicious


Confidence

Strategy    Score   Range    Further Analysis Required?   Confidence
Threshold   5       0 - 5    false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Signature Overview



Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture screen (.Net source)
Source: 4.2.fero.exe.680000.1.raw.unpack, OK.cs .Net Code: Ind
Source: 8.2.chrome64x.exe.6a0000.1.raw.unpack, OK.cs .Net Code: Ind
Source: 16.2.chrome64x.exe.550000.1.raw.unpack, OK.cs .Net Code: Ind
Source: 18.2.chrome64x.exe.3b0000.1.raw.unpack, OK.cs .Net Code: Ind

Networking:

Found strings which match to known social media urls
Source: fero.exe String found in binary or memory: Microsoft.AspNet.Mvc.Facebook.V+ equals www.facebook.com (Facebook)
Source: AcroRd32.exe String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: AcroRd32.exe String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: AcroRd32.exe String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown DNS traffic detected: queries for: fero2003.ddns.net
Urls found in memory or binary data
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.1.16:49194 -> 91.109.180.3:1177
Uses dynamic DNS services
Source: unknown DNS query: name: fero2003.ddns.net

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2
Drops PE files to the startup folder
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Source: C:\Users\user\Desktop\fero.exe File created: C:\Users\user\AppData\Local\Temp\chrome64x.exe
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe File created: C:\Users\user\Desktop\fero.exe

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample Static PE information: section name: .text entropy: 7.83582372484
Source: initial sample Static PE information: section name: .text entropy: 7.83582372484
File is packed with WinRar
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_206875
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01391404 push eax; ret 1_2_01391422
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_013920D6 push ecx; ret 1_2_013920E9
.NET source code contains potential unpacker
Source: 4.2.fero.exe.680000.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.chrome64x.exe.6a0000.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.chrome64x.exe.550000.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.chrome64x.exe.3b0000.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0138ECFC SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,SetDlgItemTextW,FindClose,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,SetDlgItemTextW,SetDlgItemTextW, 1_2_0138ECFC
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0139C562 FindFirstFileExA, 1_2_0139C562
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01382816 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 1_2_01382816
Contains functionality to spread to USB devices (.Net source)
Source: 4.2.fero.exe.680000.1.raw.unpack, OK.cs .Net Code: USBspr
Source: 8.2.chrome64x.exe.6a0000.1.raw.unpack, OK.cs .Net Code: USBspr
Source: 16.2.chrome64x.exe.550000.1.raw.unpack, OK.cs .Net Code: USBspr
Source: 18.2.chrome64x.exe.3b0000.1.raw.unpack, OK.cs .Net Code: USBspr
May infect USB drives
Source: fero.exe Binary or memory string: autorun.inf![autorun]
Source: fero.exe Binary or memory string: autorun.inf![autorun]

System Summary:

Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\fero.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: Xtaqxu6frQ.exe Static file information: File size 1571773 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe File opened: C:\Windows\system32\MSVCR100.dll
PE file contains a mix of data directories often seen in goodware
Source: Xtaqxu6frQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Xtaqxu6frQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Xtaqxu6frQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Xtaqxu6frQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Xtaqxu6frQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Xtaqxu6frQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Xtaqxu6frQ.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: Xtaqxu6frQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: c:\Users\verge\Documents\Visual Studio 2013\Projects\fero\fero\obj\Debug\fero.pdbh source: fero.exe
Source: Binary string: c:\Users\verge\Documents\Visual Studio 2013\Projects\fero\fero\obj\Debug\fero.pdb source: fero.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: Xtaqxu6frQ.exe
PE file contains a valid data directory to section mapping
Source: Xtaqxu6frQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Xtaqxu6frQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Xtaqxu6frQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Xtaqxu6frQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Xtaqxu6frQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
.NET source code contains calls to encryption/decryption functions
Source: chrome64x.exe.4.dr, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: f39b6b3505175465947b62295a9a0ae2.exe.8.dr, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Binary contains paths to development resources
Source: Xtaqxu6frQ.exe Binary or memory string: 3.vbP.v
Classification label
Source: classification engine Classification label: mal84.evad.spre.adwa.phis.spyw.troj.winEXE@25/41@29/1
Creates files inside the user directory
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_206875
Creates temporary files
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP3C6E.tmp
Launches a second explorer.exe instance
Source: unknown Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
PE file has an executable .text section and no other executable section
Source: Xtaqxu6frQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\fero.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Reads ini filesShow sources
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exeFile read: C:\Windows\win.ini
Reads software policiesShow sources
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\Xtaqxu6frQ.exe 'C:\Users\user\Desktop\Xtaqxu6frQ.exe'
Source: unknownProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\fire and fury.pdf'
Source: unknownProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87 --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f
Source: unknownProcess created: C:\Users\user\Desktop\fero.exe 'C:\Users\user\Desktop\fero.exe'
Source: unknownProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3400.0.2047977454 --type=renderer --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87
Source: unknownProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3384.0.766126944 --type=renderer 'C:\Users\user\Desktop\fire and fury.pdf'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: unknownProcess created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE
Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' ..
Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' ..
Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exeProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\fire and fury.pdf'
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exeProcess created: C:\Users\user\Desktop\fero.exe 'C:\Users\user\Desktop\fero.exe'
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3384.0.766126944 --type=renderer 'C:\Users\user\Desktop\fire and fury.pdf'
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3400.0.2047977454 --type=renderer --shell-broker-channel=broker_pdfshell_sh5b51dfb1-1b62-42d0-9543-3d235f71fc8f /b /id 1480_3105 /if pdfshell_shedd541f9-0a3b-42a7-bd11-13068122ae87
Source: C:\Users\user\Desktop\fero.exeProcess created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exeProcess created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE
Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)Show sources
Source: chrome64x.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: f39b6b3505175465947b62295a9a0ae2.exe.8.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579E90 NtMapViewOfSection,5_2_00579E90
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_005799D0 NtCreateKey,5_2_005799D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579890 NtQueryAttributesFile,5_2_00579890
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579B50 NtOpenSection,5_2_00579B50
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579AD0 NtCreateMutant,5_2_00579AD0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579850 NtOpenFile,5_2_00579850
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579800 NtCreateFile,5_2_00579800
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579B10 NtCreateSection,5_2_00579B10
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579A10 NtOpenKey,5_2_00579A10
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579A50 NtOpenKeyEx,5_2_00579A50
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 5_2_00579910 NtSetInformationFile,5_2_00579910
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177250 NtOpenKeyEx,6_2_00177250
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_001772D0 NtCreateMutant,6_2_001772D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177350 NtOpenSection,6_2_00177350
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177110 NtSetInformationFile,6_2_00177110
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177690 NtMapViewOfSection,6_2_00177690
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177390 NtDeleteValueKey,6_2_00177390
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177050 NtOpenFile,6_2_00177050
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177310 NtCreateSection,6_2_00177310
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177000 NtCreateFile,6_2_00177000
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177090 NtQueryAttributesFile,6_2_00177090
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_001771D0 NtCreateKey,6_2_001771D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Code function: 6_2_00177210 NtOpenKey,6_2_00177210
Creates files inside the system directory
Source: C:\Windows\explorer.exe File created: C:\Windows\AppPatch\pcamain.sdb
Detected potential crypto function
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01387058
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01389E79
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_013A3064
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_013931E4
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01384D7F
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0139E640
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_013843C7
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01383FAF
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0139EAEE
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01384948
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01394362
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01381595
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_013936E0
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01393F2D
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01393AF8
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0138929D
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_013970A2
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: String function: 01391430 appears 44 times
PE file contains executable resources (Code or Archives)
Source: Xtaqxu6frQ.exe Static PE information: Resource name: RT_STRING type: ump; Hitachi SH big-endian COFF object, not stripped
Reads the hosts file
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: Xtaqxu6frQ.exe Binary or memory string: OriginalFilenamefero.exe, vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe Binary or memory string: OriginalFilenameuser32j% vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe Binary or memory string: System.OriginalFileName vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe Binary or memory string: originalfilename vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Xtaqxu6frQ.exe
Source: Xtaqxu6frQ.exe Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs Xtaqxu6frQ.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe File read: C:\Users\user\Desktop\Xtaqxu6frQ.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: AcroRd32.exe Binary or memory string: Progman
Source: AcroRd32.exe Binary or memory string: Program Manager
Source: AcroRd32.exe Binary or memory string: Shell_TrayWnd
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\fire and fury.pdf'
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Process created: C:\Users\user\Desktop\fero.exe 'C:\Users\user\Desktop\fero.exe'
Source: C:\Users\user\Desktop\fero.exe Process created: C:\Users\user\AppData\Local\Temp\chrome64x.exe 'C:\Users\user\AppData\Local\Temp\chrome64x.exe'
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01392035 SetUnhandledExceptionFilter,1_2_01392035
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01391EA3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_01391EA3
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0139A2D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0139A2D5
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01392327 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_01392327
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\fero.exe Memory allocated: page read and write and page guard
Checks for debuggers (devices)
Source: C:\Windows\explorer.exe File opened: C:\Windows\WinSxS\FileMaps\users_user_desktop_081ed9a3f3f73382.cdf-ms
Source: C:\Windows\explorer.exe File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_local_temp_c71c0f136cf24ef2.cdf-ms
Source: C:\Windows\explorer.exe File opened: C:\Windows\WinSxS\FileMaps\program_files_adobe_reader_11.0_reader_1cc3b67bab52e14c.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\fero.exe System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01391EA3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_01391EA3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_013991B4 mov eax, dword ptr fs:[00000030h] 1_2_013991B4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0139D230 GetProcessHeap,1_2_0139D230
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0138ECFC SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,SetDlgItemTextW,FindClose,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,SetDlgItemTextW,SetDlgItemTextW,1_2_0138ECFC
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_0139C562 FindFirstFileExA,1_2_0139C562
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01382816 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,1_2_01382816
Contains functionality to query system information
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Code function: 1_2_01390F5F VirtualQuery,GetSystemInfo,1_2_01390F5F
Program exit points
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe API call chain: ExitProcess graph end node graph_1-20380
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Window / User API: threadDelayed 10081
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 3944 Thread sleep count: 10081 > 30
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 2456 Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4004 Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4064 Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4080 Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4076 Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2116 Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 2408 Thread sleep time: -922337203685477s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe TID: 2156 Thread sleep time: -922337203685477s >= -60000s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fero.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the Internet feature controls of Internet Explorer
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Disables zone checking for all users
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Registry value created: HKEY_USERS\Environment SEE_MASK_NOZONECHECKS
Modifies the Windows firewall
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE
Uses netsh to modify the Windows network and firewall settings
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\chrome64x.exe' 'chrome64x.exe' ENABLE

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0139085C OleInitialize,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,CoUninitialize,1_2_0139085C
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_0138299B GetVersionExW,1_2_0138299B
Queries the cryptographic machine GUID
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: GetLocaleInfoW,GetNumberFormatW,1_2_0138DB87
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Xtaqxu6frQ.exe | Code function: 1_2_01385C5C cpuid 1_2_01385C5C
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\fero.exe | Queries volume information: C:\Users\user\Desktop\fero.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\chrome64x.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome64x.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph

Behavior Graph ID: 485992 | Sample: Xtaqxu6frQ | Start date: 22/01/2018 | Architecture: WINDOWS | Score: 84

Behavior graph (image; node text recovered from the graph is listed below):

Top-level signatures:
  • .NET source code contains potential unpacker
  • May infect USB drives
  • Detected TCP or UDP traffic on non-standard ports
  • 5 other signatures

Process tree:
  • Xtaqxu6frQ.exe started; dropped C:\Users\user\Desktop\fero.exe (PE32); started fero.exe and AcroRd32.exe (which in turn started another AcroRd32.exe)
  • AcroRd32.exe started; started a further AcroRd32.exe
  • explorer.exe started; started chrome64x.exe
  • 5 other processes started; one of them started chrome64x.exe
  • fero.exe dropped C:\Users\user\AppData\Local\...\chrome64x.exe (PE32) and started chrome64x.exe
  • chrome64x.exe dropped C:\...\f39b6b3505175465947b62295a9a0ae2.exe (PE32), started netsh.exe, and triggered the signatures: Disables zone checking for all users; Creates autostart registry keys with suspicious names; Drops PE files to the startup folder

Network:
  • chrome64x.exe contacted fero2003.ddns.net (91.109.180.3; ports 1177, 49194, 49196; IELOIELOMainNetworkFR, France); signature: Detected TCP or UDP traffic on non-standard ports

Simulations

Behavior and APIs

Time | Type | Description
16:19:25 | API Interceptor | 912x Sleep call for process: AcroRd32.exe modified from: 60000ms to: 5000ms
16:19:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2 "C:\Users\user\AppData\Local\Temp\chrome64x.exe" ..
16:19:42 | API Interceptor | 1x Sleep call for process: netsh.exe modified from: 60000ms to: 5000ms
16:19:42 | API Interceptor | 14x Sleep call for process: explorer.exe modified from: 60000ms to: 5000ms
16:19:42 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run f39b6b3505175465947b62295a9a0ae2 "C:\Users\user\AppData\Local\Temp\chrome64x.exe" ..
16:19:42 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f39b6b3505175465947b62295a9a0ae2.exe
16:19:46 | API Interceptor | 8x Sleep call for process: chrome64x.exe modified from: 60000ms to: 5000ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot